Luma Event Manager

v2.1.1

Luma Event Manager for Clawdbot — Discover events by topic or location, RSVP, view guest lists, and sync to Google Calendar. No API key required (web scraping), no Luma Plus subscription needed.

⭐ 0· 2k·1 current·1 all-time

by@mariovallereyes

MIT-0

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

!

Purpose & Capability

The SKILL.md and code files implement web scraping, RSVP, and Google Calendar sync (via the gog CLI) which matches the description. However the registry metadata earlier reported no required binaries or homepage while SKILL.md metadata requires the 'pass' binary and references the 'gog' CLI — those binaries are reasonable for the stated features but their omission from the registry is an inconsistency that reduces trust.

!

Instruction Scope

Runtime instructions ask the user to export lu.ma session cookies and store them in pass. That gives the skill access to authenticated user sessions (host/guest lists, RSVP). The SKILL.md does not instruct reading any unrelated system files, but the explicit request to store session cookies in pass is a sensitive operation and could be abused if the skill reads them automatically.

ℹ

Install Mechanism

There is no registry install spec, but SKILL.md includes an npm install step and the package.json + package-lock.json are present — installing will fetch npm dependencies (moderate risk). No remote binary download or obscure URL is used in the provided instructions, which reduces install risk, but you should inspect package.json dependencies before running npm install.

!

Credentials

The skill requires sensitive credentials in practice (lu.ma session cookies) and relies on local CLIs ('pass' to store/read cookies, and optionally 'gog' for Google Calendar). The registry metadata lists no required env vars/binaries while SKILL.md requires 'pass' and references 'gog' — this mismatch is troubling because it understates the level of access needed to operate and to be useful.

!

Persistence & Privilege

The skill is not marked always:true, but disable-model-invocation is not set; that means the model could invoke the skill autonomously. Because the skill accesses session cookies via pass and can perform authenticated actions (view guest lists, RSVP), allowing autonomous invocation without additional safeguards increases the risk of unintended account access.

What to consider before installing

Things to consider before installing: - Confirm the author/repo (SKILL.md points to a GitHub repo) and review the source code (especially src/scraper.ts, src/rsvp.ts, and package.json) for any network endpoints other than lu.ma and Google. - Understand that using this skill for authenticated actions requires you to supply lu.ma session cookies; the SKILL.md recommends storing them in pass. Only do this if you trust the code, and prefer temporary credentials or manual, per-use entry if possible. - Inspect package.json and dependencies before running npm install to ensure no malicious packages will be installed. - Consider disabling model-initiated invocation of the skill (disableModelInvocation=true) or requiring explicit user prompts before any authenticated action (RSVP, viewing guest lists, syncing calendars). - Verify that the skill only communicates with lu.ma and Google endpoints; if you find hard-coded external URLs in the code, do not install. - If you are uncomfortable storing session cookies in pass, refuse providing them and use the skill only in public/discovery mode. If you want, I can fetch and summarize the package.json and key source files to point out any suspicious network calls or uncommon dependencies.

Like a lobster shell, security has layers — review code before you run it.

latestvk975q07jm9es59r79j51cx2rnx807bgd

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Luma Event Manager

Manage Luma events as both host and attendee via web scraping (no API key required).

Features

Public (No Auth)

Discover events near any location
View event details
Geographic filtering

Authenticated (With Cookies)

View your RSVP'd events
View events you're hosting
Access guest lists
RSVP to events
Sync events to Google Calendar (via gog CLI)

Triggers

Discover Events (Public)

"luma search AI" — Find events by topic/theme
"luma search startup near San Francisco" — Topic + location
"luma events near San Francisco"
"luma events near Belmont this weekend"
"luma event ai-meetup-sf"

Host Mode (Auth Required)

"luma host events" — List your hosted events
"luma host guests <slug>" — View guest list

Attendee Mode (Auth Required)

"luma my events" — Your RSVP'd events
"luma rsvp <slug> <response>" — RSVP yes/no/maybe/waitlist

Utility

"luma configure" — Set up authentication
"luma status" — Check connection
"luma help" — Show help
"luma add calendar <slug>" — Add event to Google Calendar

Setup

Basic (Public Events Only)

No setup required. Just use discover commands.

Full Access (Your Events + Guest Lists)

Log into lu.ma in your browser
Open DevTools (F12) → Application → Cookies → lu.ma
Copy cookie values: luma_session, luma_user_id
Store in pass:

pass insert luma/cookies
# Enter: {"luma_session": "value", "luma_user_id": "value"}

Calendar Sync (Optional)

Requires the gog CLI with an authorized Google account.

gog auth add you@example.com

Then:

"luma add calendar <slug>"
"luma add calendar <slug> --account you@example.com"
"luma add calendar <slug> --calendar_id primary"

Examples

"Events near me this weekend"
"What's the AI meetup about?"
"luma event startup-pitch-night"
"Show my upcoming events"

Notes

Uses web scraping (no paid Luma Plus required)
Exponential backoff with a 1 req/sec floor to respect lu.ma
Fallback selectors + Next.js JSON parsing with warnings when selectors fail
Cookie auth for private data
Public events always accessible

Files

13 total

Select a file

Select a file to preview.

Comments

Loading comments…